AML compliance requires cyber-security collaboration
Senior anti-money laundering executives at banks, brokerage firms and other financial services firms must possess a solid understanding of their companies' cyber security regimes and leverage the resources and knowledge of the specialists responsible, experts said at an anti-money laundering compliance conference in Las Vegas.
While distinct compliance units are typically responsible for cyber security and related attacks, the anti-money laundering function "should know what they're doing and you should know how you articulate that to your regulators because it's going to come up as a question," Gene Truono, global head of anti-money laundering at PayPal Holdings Inc, told the audience at the Association of Certified Anti-Money Laundering Specialists (ACAMS) event last week.
"It's OK to defer to the folks who are experts in it, but you should have a high-level understanding of how it works, what you're doing, and how that plays into your overall compliance program just like privacy or other areas that you may not manage," Truono said.
Truono offered his comments in response to a question from conference panel moderator John Byrne, executive vice president of ACAMS, who noted that a number of the conference's more than 2,000 attendees had submitted questions about cyber issues.
"These (cyber) folks have different skill sets... than AML professionals, so how do we stay engaged with them?" Byrne asked.
Truono said this issue emerged at a recent PayPal board meeting. He said that while cyber security is part of the compliance function at PayPal, the company has an information security unit that handles cyber attacks and noted that there is a "great threat" due to the payment services provider's global presence on the internet.
Cyber security professionals are "the sexy guys right now, they have loads of money, they have all the attention," said James Richards, director of financial crimes risk management at Wells Fargo & Co. Anti-money laundering units should "take advantage of the tools they're building, the tools they have," he said.
"If you've always wanted to do IP address analysis, they've got all that stuff," he said. "Make sure you're talking to them and getting referrals from them because there's a gap there sometimes and those guys are sitting on a boatload of information, a boatload of knowledge."
For instance, bank anti-money laundering investigations typically try to link customers, but they should also be looking for connections between employees, Richards said.
"Who's opened up the accounts? Who's waiving the fees? Who's doing the transactions? Sometimes the cyber guys have a greater ability to link your internal people than AML people do," Richards said.
It also is important not to "look at cyber in a vacuum," said Bob Molloy, chief anti-money laundering officer with Raymond James Financial Inc.
In many cases the cyber security team may believe it is capable of repelling a fraud attack with its controls, but the attackers may "switch channels" in cyberspace and call or take another approach "and then they start seeing the controls break down.